We use them all the time... everywhere. They are so ubiquitous in our lives that most of us actually neglect their true purpose: keeping our information secure. Add to that the ever-present struggle of having to come up with new passwords all the time! No wonder most of us use bad passwords.
Need more depressing news? Today's computing power is great, but it also enables criminals to have bigger and better chances at cracking your passwords.
What to do?
The United States National Institute of Standards and Technology (NIST) has new guidelines (currently a draft) for passwords to be used by the public sector of the government. Section 5 of the Draft SP800-63B has some good advice for organizations and users like us.
In a nutshell:
For the users.
* Passwords should be at least 8 characters and preferably not a dictionary word, or
* Use passphrases. Passphrases are easier to remember (Spots is my 5yr old Labrador) and harder to crack.
* Complex passwords (e.g. L@bra0r) are not as secure as they used to be because hackers can find hundreds of combinations of words that may fit your hint question (What breed is your dog?) and it will take them just minutes.
For organizations.
The number of suggestions is a lot longer and it clearly shifts the burden of responsibility from the user to the organization. Here are some guidelines provided in the draft.
* Make password policies user friendly and put the burden on the verifier.
* Allow for long passwords (at least 64 characters) and allow for a wider range of special characters.
* Crosscheck selected passwords against lists of known-bad passwords
* No more composition rules forcing users to use particular characters or combinations
* No password hints
* No "security" questions (What is your best friend's name?)
* No more expiration date. Passwords should be reset only if they have been compromised.
* No more use of SMS as a two-factor authentication
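A verifier-side check that follows the organization guidelines above could look like the sketch below. It is an added example, not code from NIST or the draft: the function names, the 128-character ceiling, the case-insensitive comparison and the short known-bad list are all assumptions made for illustration.

```python
MIN_LENGTH = 8      # minimum length from the user guidance above
MAX_LENGTH = 128    # assumed ceiling; the guidance only asks that it be >= 64

# Constructed sample list. A real verifier would load a large corpus of
# breached and commonly used passwords instead.
KNOWN_BAD = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou1"}


def check_password(candidate, known_bad=KNOWN_BAD):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    length = len(candidate)  # counts Unicode code points, not bytes
    if length < MIN_LENGTH:
        reasons.append("too short: need at least %d characters" % MIN_LENGTH)
    if length > MAX_LENGTH:
        reasons.append("too long: limit is %d characters" % MAX_LENGTH)
    # Case-insensitive comparison is a choice made for this example.
    if candidate.casefold() in known_bad:
        reasons.append("appears on the known-bad password list")
    # Deliberately absent: composition rules (required digits, symbols or
    # upper case), hint fields and security questions. Spaces and
    # non-ASCII characters are accepted as-is.
    return reasons


def must_reset(password_age_days, known_compromised):
    """Force a reset only on evidence of compromise, never because of age."""
    return bool(known_compromised)


if __name__ == "__main__":
    # Constructed sample inputs, including the two from the text above.
    samples = [
        "Spots is my 5yr old Labrador",
        "L@bra0r",
        "Password",
        "contraseña más larga",
    ]
    for sample in samples:
        verdict = check_password(sample) or ["accepted"]
        print("%-32r %s" % (sample, "; ".join(verdict)))
```

The "complex" L@bra0r is rejected purely on length, while the passphrase passes without containing a single symbol.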
As pointed out earlier, this is just a draft of suggestions, but the ideas are a big departure from what we are used to doing. I personally will start using passphrases instead of one-word passwords... sounds more fun and easier to remember. What is your take?